MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79adce5b035cc593f8a511be0217da0c1b4686b9215dbd648529c2aa00e04807. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79adce5b035cc593f8a511be0217da0c1b4686b9215dbd648529c2aa00e04807
SHA3-384 hash: 601759491337d10694640be2a3faa8a08b2bf509299f32d8857b7fee532c01560d0a52141e933c2ba5fb9f2de1cdc222
SHA1 hash: 6f4aae17a0de770be7cc7e0ae184cd2d0e47f3c1
MD5 hash: aa0494dea5f5ed271c1d648d7ec71e12
humanhash: fix-delaware-sink-johnny
File name:products order pdf .exe
Download: download sample
Signature Formbook
Create hunting rule
File size:718'848 bytes
First seen:2021-05-08 06:45:07 UTC
Last seen:2021-05-08 07:57:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b124d6d7906bfbfc346167632abb74ce (3 x RemcosRAT, 2 x Formbook)
ssdeep 12288:7L4F9NDkBISBvY6gjo1gsUM6fZdLya7FC3O+U/Oy/c:7UF/SS6bqsxKB/FCzUD/c
Threatray 5'076 similar samples on MalwareBazaar
TLSH AFE49F21A7E15137E0AF1F399C2BB6B95C25FF4129E4604A2BF5BD489F7928138381D3
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153002/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Connection attempt
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/717972
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 407916 Sample: products order pdf .exe Startdate: 08/05/2021 Architecture: WINDOWS Score: 100 33 clientconfig.passport.net 2->33 35 www.poshzip.com 2->35 37 www.jobheap.com 2->37 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 6 other signatures 2->49 9 products order pdf .exe 17 2->9         started        signatures3 process4 dnsIp5 39 cdn.discordapp.com 162.159.130.233, 443, 49713, 49714 CLOUDFLARENETUS United States 9->39 59 Writes to foreign memory regions 9->59 61 Allocates memory in foreign processes 9->61 63 Creates a thread in another existing process (thread injection) 9->63 65 Injects a PE file into a foreign processes 9->65 13 ieinstal.exe 9->13         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 13->67 69 Maps a DLL or memory area into another process 13->69 71 Sample uses process hollowing technique 13->71 73 Queues an APC in another process (thread injection) 13->73 16 explorer.exe 3 1 13->16 injected process9 dnsIp10 27 rogerecameron.com 77.72.1.27, 49737, 80 KRYSTALGR United Kingdom 16->27 29 vidasanayprospera.com 160.153.128.3, 49741, 80 GODADDY-AMSDE United States 16->29 31 17 other IPs or domains 16->31 41 System process connects to network (likely due to code injection or exploit) 16->41 20 wlanext.exe 1 16->20         started        23 ieinstal.exe 16->23         started        25 ieinstal.exe 16->25         started        signatures11 process12 signatures13 51 Creates autostart registry keys with suspicious names 20->51 53 Modifies the context of a thread in another process (thread injection) 20->53 55 Maps a DLL or memory area into another process 20->55 57 Tries to detect virtualization through RDTSC time measurements 20->57
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79adce5b035cc593f8a511be0217da0c1b4686b9215dbd648529c2aa00e04807/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-05-08 06:45:20 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pgw44wydltczh6ffcg7aef62bqnunbvzefo32zeffhbkuahajadq._file
Verdict:
malicious
Similar samples:
1cfec89b2bfbcdd400f0cd58741a2d7a218bb2bbf2399b55833c6f4a64829883
Formbook
43aa01ebbd20c81ee60bd5b6bacabcdd0a84e0aeb892c0ea18383261dbcdb0fb
Formbook
489e0e46a5df58a3144cd7a3ecb1fd0e29aa2db5060084ec774f1d2c8c763fd9
Formbook
5acfc6aa1ccbdc619df590b1b8092e0c1687558b7f01a7015a20d2a146e60a7f
Formbook
67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96
Formbook
6c6dd45a923d7eb6fa1f114a5a4c20fab27bc03e44a5c8cb8627d43da93dfe48
Formbook
8412907b0441a1695b45e1de5e7b446d28ab00f6da416bdb2575f51eb60e9647
Formbook
84d44657f148197e79e253ab0b50cdd8003e2b760318f9ab760b47fe4e25a594
Formbook
8855c73a66320b1d62c22f7af62feb301d13e4b68f4edfba64bf47473ad58c4a
Formbook
dcea3ce074a9cc06d03641b052fe3a3f81abb72c480de228b8664dade74c4dce
Formbook
+ 5'066 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210508-tkf8l9djns/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.brandonprattdrums.com/nt8e/
Unpacked files
SH256 hash:
d2807041de671bcd7b4e24961ae743675894a142f61fc58d07ee8fc0d9220155
MD5 hash:
bb521a970019b057afbbdaa5bb3c1b83
SHA1 hash:
76f6197a2db8525dd2341ec899db573dfc665972
Link:
https://www.unpac.me/results/cf9bd638-d845-4ffb-af28-e8961bb2e3a9/
SH256 hash:
8f63001a412f92b1e28e17cf0ca84b5d4fa126a661cdae11c5221b7344c26999
MD5 hash:
77fbc4c0b74cf1b87fa3804f3c4c0ff1
SHA1 hash:
721f7b2c9db79c8a34b8ad43f103b22df632d2dc
Link:
https://www.unpac.me/results/cf9bd638-d845-4ffb-af28-e8961bb2e3a9/
SH256 hash:
79adce5b035cc593f8a511be0217da0c1b4686b9215dbd648529c2aa00e04807
MD5 hash:
aa0494dea5f5ed271c1d648d7ec71e12
SHA1 hash:
6f4aae17a0de770be7cc7e0ae184cd2d0e47f3c1
Link:
https://www.unpac.me/results/cf9bd638-d845-4ffb-af28-e8961bb2e3a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetWiredRC
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79adce5b035cc593f8a511be0217da0c1b4686b9215dbd648529c2aa00e04807

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/153002/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-08 07:41:06 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [B0012.001] Anti-Static Analysis::Argument Obfuscation
4) [F0002.002] Collection::Polling
6) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0052] File System Micro-objective::Writes File
12) [E1510] Impact::Clipboard Modification
13) [C0007] Memory Micro-objective::Allocate Memory
14) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
15) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
16) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
17) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
18) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
19) [C0038] Process Micro-objective::Create Thread
20) [C0041] Process Micro-objective::Set Thread Local Storage Value
21) [C0018] Process Micro-objective::Terminate Process